Why did I and 40 other colleagues find ourselves called to explain our personal use of OpenClaw with Cisco’s EVP of Operations?
Because with the momentum building around the new innovation, Thimaya Subaiya – Executive Vice President of Operations at Cisco – had invited early OpenClaw adopters across the company (plus the SVP of IT) to share our experiences openly.
Needless to say, I was up for the challenge. Because when an open-source AI agent racks up 180,000 stars in a matter of weeks, gets personally tested by Mark Zuckerberg, and then sees its creator hired by OpenAI, you can’t help but pay attention.
OpenClaw is an open source, locally deployed AI agent that is supposed to be able to execute tasks across your entire digital life. According to developers, it can read your messages, automate your browser, manage files, execute shell commands, summarize five-hour videos, install its own tools, and effectively operate like a digital coworker living on your machine.
At least, this was the promise. So, did the hype match reality?
Why OpenClaw is impossible to ignore
At Cisco’s AI Summit in February 2026, Sam Altman directly referenced OpenClaw in conversation with Jeetu Patel, describing it as a fusion of innovative ideas that make persistent, collaborative AI feel tangible.
There’s also the fact that Mark Zuckerberg reportedly tested OpenClaw himself. Meta had just acquired Manus AI in a multibillion-dollar deal to strengthen its agent strategy, so the space was heating up fast.
“As someone who spends a lot of time thinking about
AI security and enterprise controls,
I couldn’t just read about it. I needed to see what it could do.”
First Impressions
I installed OpenClaw on my Mac with one goal in mind – I wanted frictionless delegation through iMessage. In my head, it was simple.
I would message it:
“Rebook that restaurant reservation.”
“Summarize this x.com thread and save to my apple notes.”
“Pull insights from this YouTube link and prep slides.”
It was going to be seamless – a simple message sent through iMessage and the task handled in the background without me bouncing between apps. The setup process quickly grounded that idea. To enable the integration, OpenClaw requires full disk access for the terminal along with automation permissions for Messages.app, which effectively grants it broad visibility into your system and message database.
For an always-on agent with shell access and the ability to install its own tools, that level of privilege is significant.
“Even on my personal laptop, it felt like granting a master key to something designed to act autonomously.”
I paused there, not out of fear or suspicion, but out of respect for what the tool is capable of. Powerful agents deserve clear boundaries, and that moment crystalized the balance between excitement and responsibility.
Hardening Before Experimenting
I approached OpenClaw the same way I would any powerful new platform in an enterprise environment – I assumed it was capable, and then focused on reducing unnecessary exposure. I began by enabling the built-in sandbox mode. OpenClaw supports multiple isolation levels, including running tools inside Docker containers while keeping the main gateway on the host. That separation meaningfully limits the blast radius if something misbehaves.
From there, I created a dedicated non-admin macOS user account purely for OpenClaw so it wouldn’t operate with elevated privileges. I also confirmed FileVault encryption was enabled, tightened firewall rules, and bound the gateway strictly to localhost to prevent any unintended external access.
Lastly, I held back on high-privilege integrations. Rather than granting full disk access for iMessage straight away, I started with lower-risk capabilities such as summarization and transcription.
This was when it started to get really interesting.
Putting OpenClaw to Work
First, I sent it a YouTube link to a five-hour event recording. Something I normally would not even attempt to process manually unless absolutely necessary.
It responded with:
- A full searchable transcript
- A concise executive summary
- Extracted key themes
- Auto-selected visual frames that were actually usable for slides
That alone saved me a serious amount of time. There was no scrubbing through video, pausing and rewinding, or manual note-taking.
Next, I tested structured research prompts. I had it analyze technical documentation and synthesize risk considerations. The responses were way more than generic summaries – they were context-aware, structured, and actionable.
While the output quality was impressive, the persistence also stood out. OpenClaw retains memory and can build on prior tasks. So, it feels less like a chatbot session and more like an evolving assistant.
“You totally understand why people call it an ‘agent’ rather than just an interface to a model.”
The Self-Modifying Angle
One of OpenClaw’s defining traits is its ability to install new tools and Model Context Protocol components on its own. That autonomy is what makes it feel like a true agent rather than a scripted assistant.
In controlled environments, the flexibility is impressive. It can extend itself to support new workflows without manual coding, and the ClawHub marketplace rapidly expands its capabilities through community-built skills.
That same autonomy, however, requires discipline. An agent that can modify itself, pull external code, and execute commands locally needs guardrails.
To the developer’s credit, security controls are evolving, with stronger sandbox protections, tighter Docker restrictions, and improved marketplace moderation. It is maturing responsibly, but I would still only deploy it in enterprise settings with proper governance, scanning, and network controls in place.
The Enterprise Reality
This is where the tension becomes clear. OpenClaw represents where AI is heading – persistent, local agents that automate meaningful work across systems – which is very exciting.
But unmanaged deployment on corporate laptops would introduce real risk. High privilege access combined with autonomous behavior expands the attack surface, and a malicious or poorly vetted skill could lead to data exfiltration, token theft, or supply chain issues.
“Reports of questionable skills in community repositories show that this is not just theoretical.”
My take – the answer isn’t to shut innovation down, but to approach it with structure. Pilot in sandboxed environments, enforce zero-trust network controls, run under non-admin accounts, scan skills before installation, and monitor behavior at runtime.
Which is exactly the same approach Cisco takes. Cisco Secure Access, our security service edge platform, can apply zero-trust policies to block or control access to sites like openclaw.ai on managed devices – ensuring experimentation happens intentionally.
Beyond access control, Cisco AI Defense provides runtime safeguards purpose-built for AI systems, including supply-chain vetting, prompt injection detection, and behavioral monitoring for exfiltration risks in agent environments.
We have also open-sourced complementary tools such as MCP Scanner and Skill Scanner, designed specifically to probe Model Context Protocol servers and agent skills for vulnerabilities, prompt injection risks, and malicious behavior before deployment.
With agent ecosystems evolving like this, risk no longer sits only within individual skills – but in how agents communicate and chain tasks together. So, Cisco also offers an open-source A2A Scanner that addresses this issue by evaluating agent-to-agent interactions, helping unsafe trust boundaries and unintended exposure before those connections scale in production.
So… is it actually good?
Yes. OpenClaw is definitely not a gimmick or another wrapper around a large language model. It’s a genuine step toward usable agentic AI that (naturally) requires maturity, boundaries, and thoughtful deployment.
“But once hardened, it delivers tangible value.”
The five-hour video test alone justified the install – its ability to orchestrate research, summarize, extract insights, and automate repetitive digital workflows is impressive. Would I give it unrestricted access to my primary system? No. Would I continue experimenting with it in a controlled environment? Absolutely.
Cisco leadership’s support for hands-on experimentation, balanced with the increasingly critical human in the loop and clear governance, created the conditions for genuine, real-world evaluation.” That kind of approach matters, because innovation moves forward most effectively when it is tested rigorously and handled with responsibility.
Agentic AI will continue to evolve rapidly. The organizations that benefit most will be those that pair innovation with layered controls – secure access at the edge, runtime AI protection, and proactive skill vetting.
To close out, OpenClaw feels like an early version of something inevitable. It’s not enterprise-ready out of the box – but it’s directionally correct. If you experiment with it, I recommend doing it properly – isolate it, constrain it, and monitor it. The hype is definitely not empty – it may just be early.
